[strongSwan] Routing problem (source address change)

Rudolf Ladyzhenskii rudolfl at rumatech.com
Wed Aug 8 06:12:53 CEST 2012


Hi, all

I have server and road warrior.

Here are configs (stripped down to only show essential bits):
server:
conn to_client
  rightsubnet=10.4.0.104/32
  rightcert=cert1t.pem
  rightsendcert=never
  right=%any
  left=%defaultroute
  leftcert=cert.pem
  leftsubnet=10.5.5.0/24
  leftsendcert=never
  keyexchange=ikev2
  auto=add


client:
conn to_server
        left=%defaultroute
        leftcert=cert1.pem
        leftsubnet=10.4.0.104/32
        right=58.96.102.3
        rightcert=/etc/ipsec.d/certs/cert.pem
        rightsubnet=10.5.5.0/24
        keyexchange=ikev2
        leftupdown=/opt/ipsec_updown
        auto=start

Basically, road warrior owns an IP address of 10.4.0.104 and wants to
access network 10.5.5.0/24 via IPSec.

IPSec establishes OK.
From the road warrior, I cannot ping the host 10.5.5.72 unless I use
ping 10.5.5.72 -I 10.4.0.104

OK, I added a rule to do source NAT in updown script:
 ip ro add $PLUTO_PEER_CLIENT via 8.8.8.8 src $PLUTO_MY_CLIENT_NET

(I used bogus IP 8.8.8.8 to force packet routing).

That idea worked and, after establishing IPSec, I can access
10.5.5.0/24 network.

Now, for the real problem. Road warrior uses 3G modem to connect to
the Internet. So, IPSec is established via ppp0 interface. The rule I
added binds itself to ppp0 interface. I tried to specify a different
device, but this command fails, unless ppp0 is in use.
I tried:
ip ro add $PLUTO_PEER_CLIENT via 8.8.8.8 dev <DEV NAME> src $PLUTO_MY_CLIENT_NET
and it fails unless I use ppp0 as DEV NAME. (The error is:
RTNETLINK answers: No such process).
Consider situation. I run ping to 10.5.5.72 when routing rule is installed.

If ppp connection breaks, it is re-established. IPSec is not restarted.
Ping obviously breaks, and the rule disappears from the routing list as expected.

Re-instantiate the rule and try ping again. Ping fails with the error:
connect: Invalid argument

The only way to recover now is to restart ipsec. After the ipsec restart,
pings go through normally again.

So, questions are:
1. What is the best practice to get source NAT to work?
2. When I am in the situation as described, what is happening to the
routing and how can it be fixed?


Thanks,
Rudolf
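As an added example (not part of the post and not strongSwan's own _updown script), the route the post installs by hand can be bound to the interface charon reports in PLUTO_INTERFACE instead of a bogus gateway, and removed again on down-client so no stale route survives an SA teardown. DRY_RUN is a hypothetical knob for inspecting the command without root; charon only invokes updown on SA up/down events, so this does not by itself re-install the route when ppp0 is re-established underneath a live SA.

```shell
#!/bin/sh
# Added example updown script for the road warrior (not from the post or from
# strongSwan). charon sets PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT and
# PLUTO_MY_CLIENT_NET before calling it. DRY_RUN=1 is a hypothetical knob.

run() {
    # Execute the command, or echo it in dry-run mode so it can be inspected.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

route_cmd() {
    # $1 = add|del. Bind the route to the real interface and set the tunnelled
    # address as preferred source, so a plain "ping 10.5.5.72" picks
    # 10.4.0.104 without -I. On a point-to-point link "dev" alone is enough;
    # no "via" with a fake gateway is needed.
    echo "ip route $1 $PLUTO_PEER_CLIENT dev $PLUTO_INTERFACE src $PLUTO_MY_CLIENT_NET"
}

updown_cmd() {
    # Map the updown verb to the command to run; other verbs need nothing here.
    case "$1" in
        up-client)   route_cmd add ;;
        down-client) route_cmd del ;;
        *)           return 0 ;;
    esac
}

# Dispatch only when charon actually invoked us with a verb.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(updown_cmd "$PLUTO_VERB")
    if [ -n "$cmd" ]; then
        # shellcheck disable=SC2086  # word splitting is intended here
        run $cmd
    fi
fi
```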